On Fri, Apr 24, 2009 at 4:39 AM, Dan Harnett <dan...@harnett.name> wrote:
> Huh? Spammers have been using throw away domains for ages. Adding an
> SPF record to their own domains has been trivial. No spoofing required.
> Basically, you're accepting input from the bad guys and treating it as
> valid and trusted. Bad idea.
If they use throw away domains, then another solution would be to go on the age of the domain - which a simple WHOIS check can obtain and would theoretically be very difficult to forge, especially if you go straight to one of the NICs for that info.

This would come with some caveats - it would be easy to thwart by getting throwaway domain names and sitting on them for a while in a sort of FIFO queue, adding new ones to the end when the first gets thrown away. On top of that, it would mean companies who are just getting a start in the online business could be waiting a while to email potential clients whose mail servers are using this method to filter spam. On top of that, if VeriSign could be tricked into signing a fake Microsoft ActiveX key, can you really trust the authorities?

The reality is that any solution to try and block spammers would be thwarted if a spammer were able to acquire the means to use it to validate themselves fraudulently. Spam is a battle - the least we can hope for is to make it a battle for them as well.

--
Aaron Mason
/Oh, why does everything I whip leave me?/
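The domain-age heuristic discussed in the reply above, as an added example that is not part of the thread: it parses the creation date out of raw WHOIS text and turns the domain's age into a verdict. The WHOIS field labels, date layouts and the 30-day threshold are assumptions, the WHOIS records are constructed samples, and a record with no parsable creation date is reported as "unknown" rather than treated as new, so a parse failure alone cannot cause a rejection.

```python
from datetime import date, datetime

# Assumed creation-date labels; registries and registrars format WHOIS output
# differently, so several common variants are accepted (case-insensitive).
CREATION_LABELS = {"creation date", "created on", "registered on", "created",
                   "domain registration date"}
# Assumed date layouts seen in WHOIS output, tried in order.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d",
                "%d-%b-%Y", "%Y.%m.%d")

# Constructed sample records (not real WHOIS data).
WHOIS_NEW = "Domain Name: EXAMPLE-NEW.TEST\nCreation Date: 2009-04-20T10:00:00Z\n"
WHOIS_OLD = "Domain Name: EXAMPLE-OLD.TEST\nRegistered On: 15-Mar-2001\nStatus: ok\n"
WHOIS_NODATE = "Domain Name: EXAMPLE-NODATE.TEST\nStatus: ok\n"


def parse_creation_date(whois_text):
    """Return the registration date found in WHOIS text, or None if absent."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() not in CREATION_LABELS:
            continue
        value = value.strip()
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(value, fmt).date()
            except ValueError:
                continue
    return None


def domain_age_days(whois_text, today):
    """Age of the domain in whole days as of `today`, or None if unknown."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return (today - created).days


def age_verdict(whois_text, today, min_age_days=30):
    """Classify a sender domain by registration age for use as one filter
    signal among others; 'unknown' is returned when no date could be read."""
    age = domain_age_days(whois_text, today)
    if age is None:
        return "unknown"
    return "young" if age < min_age_days else "established"
```

Age is only one signal: a domain parked for months before use, the FIFO trick the reply describes, will score as established, so it belongs in a weighted filter rather than a hard block.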